/**
* @license
* Copyright (c) 2017 The Polymer Project Authors. All rights reserved.
* This code may only be used under the BSD style license found at
* http://polymer.github.io/LICENSE.txt
* The complete set of authors may be found at
* http://polymer.github.io/AUTHORS.txt
* The complete set of contributors may be found at
* http://polymer.github.io/CONTRIBUTORS.txt
* Code distributed by Google as part of the polymer project is also
* subject to an additional IP rights grant found at
* http://polymer.github.io/PATENTS.txt
*/
goog.provide('security.polymer_resin.attr_property_aliasing_tests');
goog.require('goog.html.SafeUrl');
goog.require('goog.string.Const');
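suite(
    'AttrPropertyAliasingTests',
    function () {
      // The fixture element; its `action` attribute/property is aliased onto
      // the `formaction` attribute of the three buttons below.
      var buttons;
      // presumably bound via a property binding; verify against the fixture.
      var propertyButton;
      // presumably bound via an attribute binding; verify against the fixture.
      var attributeButton;
      // A <button> inside a custom element, reached through that element's
      // own $$ lookup.
      var customButton;

      setup(function () {
        buttons = fixture('attr-property-aliasing-fixture');
        propertyButton = buttons.$$('.property-button');
        attributeButton = buttons.$$('.attribute-button');
        customButton = buttons
            .$$('.custom-button')
            .$$('button');
      });

      /**
       * Asserts that every button's `formaction` attribute equals `expected`.
       * All three alias paths must observe the same (possibly sanitized) value,
       * so a single helper keeps the six tests below from drifting apart.
       * @param {string} expected The expected attribute value.
       */
      function assertFormActionOnAllButtons(expected) {
        // NOTE(review): assumes the harness's assert is Chai, whose order is
        // (actual, expected, message) — confirm. The message names the button
        // so a failure identifies which alias path regressed.
        assert.equal(
            propertyButton.getAttribute('formaction'), expected,
            'property-button formaction');
        assert.equal(
            attributeButton.getAttribute('formaction'), expected,
            'attribute-button formaction');
        assert.equal(
            customButton.getAttribute('formaction'), expected,
            'custom-button formaction');
      }

      // Text of a URL that only passes because it is vouched for via a
      // goog.string.Const below, not because of its content.
      var TYPED_STRING_TEXT = 'javascript:safe(this)';
      // A typed SafeUrl built from a compile-time constant; the typed wrapper
      // is what lets this value reach `formaction` unchanged.
      var SAFE_ACTION = goog.html.SafeUrl.fromConstant(
          goog.string.Const.from(TYPED_STRING_TEXT));
      // A plain, untyped string with the same scheme; it must not reach
      // `formaction` as written.
      var UNSAFE_ACTION = 'javascript:evil()';
      // The replacement value the tests expect in place of a rejected URL.
      var INNOCUOUS_ACTION = goog.html.SafeUrl.INNOCUOUS_STRING;

      test('innocuous_action_via_attribute', function() {
        buttons.setAttribute('action', '/safe');
        assertFormActionOnAllButtons('/safe');
      });

      // Attribute names are case-insensitive in HTML; the aliasing must hold
      // for a differently-cased spelling too.
      test('innocuous_action_via_attribute_case_insensitive', function() {
        buttons.setAttribute('ACTION', '/safe');
        assertFormActionOnAllButtons('/safe');
      });

      test('safe_action_via_property', function() {
        buttons.action = SAFE_ACTION;
        // The typed value is unwrapped to its underlying text.
        assertFormActionOnAllButtons(TYPED_STRING_TEXT);
      });

      test('unsafe_action_via_attribute', function() {
        buttons.setAttribute('action', UNSAFE_ACTION);
        assertFormActionOnAllButtons(INNOCUOUS_ACTION);
      });

      // Same as above, but the rejection must not depend on attribute case.
      test('unsafe_action_via_attribute_case_insensitive', function() {
        buttons.setAttribute('ACTION', UNSAFE_ACTION);
        assertFormActionOnAllButtons(INNOCUOUS_ACTION);
      });

      test('unsafe_action_via_property', function() {
        buttons.action = UNSAFE_ACTION;
        assertFormActionOnAllButtons(INNOCUOUS_ACTION);
      });
    });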